2-round Substitution-Permutation and 3-round
Feistel Networks have bad Algebraic Degree
Didier Alqui´
e
DGA, CELARdidier.alquie@laposte.net
February 5, 2010
Abstract
We study algebraic degree profile of reduced-round block cipher schemes. We show that the degree is not maximal with elementary combinatorial and algebraic arguments. We discuss on how it can be turned into distin-guishers from balanced random functions.
1
Introduction
1.1
Context and related works
Generic Feistel schemes have received much attention, probably due to the par-ticular esssential structure that each round identically copies half the entry. Al-though SP-schemes give the feeling that every bit of input data “goes through” a non linear boolean function, Feistel schemes give the feeling that this non linear crossing only occurs one round out of two for any given input bit. Indeed, the security of reduced round generic Feistel schemes has been stud-ied under well defined security models. Since the original paper by M. Luby and C. Rackoff [1], various contributions by Patarin and al. [2, 3, 4, 5] show how such schemes are “different”, in fact distinguishable, from random permu-tations. These papers give the complexities of various distinguishers, in terms of adversary model, amount of known data or chosen queries to an oracle, and negligible error probability.
In the present paper, we stress that the Feistel structure but also SP schemes induces abnormal behaviour of algebraic degrees. More precisely, we proove that algebraic degrees on – very – reduced round is always sub optimal, making the corresponding scheme indeed different from a random permutation. The work essentially relies on intrinsic properties of boolean functions. It is strongly related to evaluation of the algebraic expression of the whole scheme as a boolean function. Thus, unfortunately, it requires a irrelevant number of queries and, in this way, cannot pretend to turn into any efficient distinguisher. Nevertheless, it lightens algebraic features that come to confirm previously known generic weaknesses on Feistel schemes. Besides, this “algebraic-degree” approach is, up to our knowledge, an original point of view.
1.2
Outline
Paper is organized as follows. Section 2 introduces notations and definitions. In section 3, we give some easy but useful results on boolean functions with possibly multiple output bits, the proofs of which are gathered in appendix A. Section 4 studies the algebraic degree profile of a 2-round SP network, as Sec-tion 5 gives the analogue for a 3-round Feistel network. SecSec-tion 6 discusses some consequences on distinguishing those reduced-round block ciphers from random functions. The results in their brute form appear to be inefficient to this purpose, possible directions are proposed for further research.
2
Notations and definitions
Let Fn2 be n-dimensionnal vector space over the finite fieldF2, and define the
partial order in Fn
2 byxy⇔ ∀i= 1, . . . , n, xi≤yi.
We deal with boolean functions with mulitple, sayn(>1) input bits, and pos-sibly multiple output bits. We refer to a boolean function with single (resp. multiple) output bit(s) as ascalar (resp. vectorial) boolean function. The sup-port (resp. weight) of a scalar boolean function denotes the set f−1(1) (resp.
the cardinality of the latter) and is denoted by Supp(f) (resp. wt(f)).
Every scalar boolean function f(x1, . . . , xn) can be uniquely represented by
its algebraic normal form (ANF), a multivariate polynomial in the quotient polynomial ringF2[x1, . . . , xn]/(x21+x1, . . . , x2n+xn):
f(x1, . . . , xn) =
X
(u1,...,un)∈Fn2
au1,...,unx
u1 1 . . . x
un
n
Note thatxu1 1 . . . x
un
n = 1 if, and only if for everyi= 1, . . . , n,xi= 1 whenever ui= 1.
Thealgebraic degree off is the maximum degree of monomialsxu1 1 . . . x
un
n for
whichau1,...,un is not zero. It isdenoted by deg(f).
2.1
The Mobius transform
Recall that the so calledMobius transform gives a correspondance between the list of the values of the function f and the list of its ANF coefficients. More precisely, it goes from one list to the other by the way:
∀(u1, . . . , un)∈Fn2, au1,...,un=
X
(x1,...,xn)(u1,...,un)
f(x1, . . . , xn)
∀(x1, . . . , xn)∈Fn2, f(x1, . . . , xn) =
X
(u1,...,un)(x1,...,xn)
au1,...,un
For x= (x1, . . . , xn) andu= (u1, . . . , un)∈Fn2, define the symbolic xu to be
the monomialxu1
1 . . . xunn in the aformentionned quotient polynomial ring.
Here we borrow the notation of indicator function, and denote generically 1(A) for the boolean number that is 1 (resp. 0) if propositionAholds (resp. does not hold). It permits a very compact rewriting of all these properties. First, xu=
can be rewritten itself in a short way:
∀u∈Fn
2, au=
X
x∈Fn2
f(x)1(xu)
∀x∈Fn2, f(x) = X
u∈Fn2
au1(ux)
The reason why we want to point out this compact writing is actually an epiphe-nomenon: in our feeling, it makes it easier to formally write the proof of these equalities. Indicator function notation is generally easy to handle formally, even if it is not the most concrete writing in this particular case.
3
Results on balancedness of boolean functions
In this section we give a few basic results on the relationship between algebraic degree and balancedness of boolean functions. We make intense use of those results in the following sections, and therefore we have decided to summarize them in the present section, pushing their proofs away to the appendix. We show that the balancedness of vectorial boolean functions is closely related to the balancedness of (scalar) nonzero linear forms of their output bits. We also establish a nice result about balancedness of pointwise products of the output bits. We finally formulate the properties in the specific case of n-variables bijections.
Let us start with a lemma. It is rather elementary, but the subsequent results of this section largely make use of it.
Lemma 1 Let f be a scalar (ie with single output bit) boolean function with
n >1 input bits. Then:
(i) the coefficient of the monomialx1. . . xnin the ANF offis equal toPx∈Fn 2 f(x).
(ii)deg(f)≤n−1 if, and only if wt(f)is even.
(iii) if f is balanced, thendeg(f)≤n−1.
Proof See appendix A. 2
We now come out with vectorial boolean functions, ie having multiple, sayt, output bits instead of a single one. We still denote the number of input bits by
n, and we assume thatt ≤n. If f is such a function, we will write f1, . . . , ft
for the components off, that of course are themselves scalar boolean functions. Balancedness generalizes very naturally and we will say thatf is balanced if all
y∈Ft2 have the same number of preimages byf inF
n
2, that is ∀y∈Ft2,#{x: x∈Fn2, f(x) =y}= 2n−t.
Note that it indeed forcestto be≤n. We are now ready to give the
Proposition 2 Let 1 < t ≤ n be two integers, and f : Fn
2 → Ft2 be a
vecto-rial boolean function with scalar components f1, . . . , ft. Then the following two
(1)f is a balanced function;
(2) every nonzero linear form of the outputs off is balanced, ie∀(λ1, . . . , λt)∈
Ft2− {0, . . . ,0}, x7→λ1f1(x)⊕. . .⊕λtft(x)is balanced.
Proof See appendix A. 2
Corollary 3 Assume (1) or, equivalently, (2) holds in proposition 2. Then every linear form of the outputs off is a boolean function with algebraic degree
≤n−1.
Proof From proposition 2, every linear form of the outputs off is either null, either balanced. In the latter case, lemma 1(iii) applies. 2
We now give a result about the pointwise product of balanced boolean functions. The pointwise product of two scalar boolean functions f and g is defined by
f g:x7→f(x)g(x). Since Supp(f g) = Supp(f)∩Supp(g), there is no systematic relation between balancedness off g and the one of f andg. Moreover, in the case when f and g are balanced, f g cannot be balanced unless we are in the “degenerate” case wheref =g. Nevertheless, we are able to proove a nice result on the algebraic degree of a product of some balanced functions, provided the number of factors in the product is not too much. Let us state it precisely.
Proposition 4 Let 1 < t≤n be two integers, and f :Fn2 →F
t
2 be a vectorial
boolean function with scalar components f1, . . . , ft. Assume that f is balanced.
Then all the pointwise products fi1. . . fir, with 1≤i1<· · ·< ir ≤t, 1≤r≤
min(t, n−1) have algebraic degree≤n−1.
Proof See appendix A. 2
A particular case we are interested in is the one where f is bijective mapping ofFn2. We have the
Corollary 5 Let f be an-variable bijection. Then
(i) any nonzero linear form of thefi’s,
(ii) any product of at mostn−1 fi’s have degree≤n−1.
Proof (i)comes from lemma 1 and proposition 2 put together, while(ii)follows
from proposition 4. 2
4
2-round SPN
4.1
Description
Letn=qmthe blocksize of a SP network, each round of which is composed as follows:
• a non linear layer composed byq parallel substitutions boxes S1, . . . , Sq.
• a linear layer composed by a invertible linear mappingLonFn
2, the
struc-ture of which is not relevant for our proof.
LetX = (x1, . . . , xn) be the input variables. The following equations describe
the 2-round SP scheme, and introduce intermediate variablesY = (y1, . . . , yn),
Z = (z1, . . . , zn), T = (t1, . . . , tn) as well as final output U = (u1, . . . , un).
Eachn-bit vector is naturally divided intoqgroups ofmvariables. For instance (x1, . . . , xn) is divided into (x1, . . . , xm), (xm+1, . . . , x2m),. . . ,(x(q−1)m+1, . . . , xqm),
and these subvectors will be denotedX1, . . . , Xqrespectively. An analogous
con-vention definesY1, . . . , Yq,Z1, . . . , Zq,T1, . . . , Tq, andU1, . . . , Uq.
(First round)
(Non linear layer)
(y1, . . . , ym) = S(x1, . . . , xm) . . .
(y(q−1)m+1, . . . , yqm) = S(x(q−1)m+1, . . . , xqm)
(Linear layer)
(z1, . . . , zn) =L(y1, . . . , yn)
(Second round)
(Non linear layer)
(t1, . . . , tm) = S(z1, . . . , zm)
. . .
(t(q−1)m+1, . . . , tqm) = S(z(q−1)m+1, . . . , zqm) (Linear layer)
(u1, . . . , un) =L(t1, . . . , tn)
(1)
Λ denotes the matrix ofL in the canonical basis of Fn2. We will make explicit
use of (Λi,j)1≤i,j≤q, that areq2 squarem×m submatrices of Λ defined by
Λ =
Λ1,1 . . . Λ1,q
..
. ... Λq,1 . . . Λq,q
.
With all our notations, the following four writings have the same meaning:
(z1, . . . , zn) =L(y1, . . . , yn),
(z1, . . . , zn) = (y1, . . . , yn).Λ,
Z1 = Y1.Λ1,1⊕. . .⊕Yq.Λq,1
. . .
Zq = Y1.Λ1,q⊕. . .⊕Yq.Λq,q.
(z1, . . . , zm) = (y1, . . . , ym).Λ1,1⊕. . .⊕(y(q−1)m+1, . . . , yqm).Λq,1,
. . .
(z(q−1)m+1, . . . , zqm) = (y1, . . . , ym).Λ1,q⊕. . .⊕(y(q−1)m+1, . . . , yqm).Λq,q,
Here each vector is identified with a row-matrix, and (y(i−1)m+1, . . . , yim).Λi,j= Yi.Λi,j represents a (row) vector-matrix product (with compatible sizes as easily
4.2
Statement
We aim to study the algebraic degree ofY, Z, T, U as (multivariate polynomial) expression of the input variablesx1, . . . , xn. The following theorem summarizes
the results, while next subsection is devoted to the proof.
Theorem 6 Let equations (1) define a 2-round SP network withn=qm vari-ables. Put X = (x1, . . . , xn) the input variables, and consider Y, Z, T, U as
algebraic expressions of the xi’s. Then:
(i)deg(Z) = deg(Y)≤m−1;
(ii)deg(U)≤deg(T)≤q(m−1);
4.3
Proof of theorem 6
Since Z (resp. U) is linearly computed from Y (resp. T), it is clear that deg(Z)≤deg(Y) (resp. deg(U)≤deg(T)). Now let us examine the degrees of
Y andT.
(i) The degree of Y is≤m−1
Y1= (y1, . . . , ym) only depends on variablesx1, . . . , xm. SinceS is a bijection,
the degree of each yi is ≤ m−1. The same argument holds for Y2, . . . , Yq,
completing the proof of the statement forY.
The degree ofZ is equal to the one ofY EachZi is a linear form of theYj (via
the matrix Λ). But the subsets of variablesxj that are involved in expression of theYj are pairwise disjoint, such that terms of degree max can not cancel each other when linearly combined.
(ii) The degree of T is≤q(m−1)
We will proove that the partial degree degXi(Tj) is ≤m−1 for 1 ≤i, j ≤q.
We write the proof fori= 1, the general case works in a similar way.
Fix j0 ∈ {1, . . . , q}. Consider the ANF of Tj0 as a polynomial of variables
x1, . . . , xm with coefficients that are themselves multivariates polynomials in
variables xm+1, . . . , xqm. Leth(xm+1, . . . , xqm) be the coefficient of the
mono-mialx1. . . xm. Now write
Tj0 = S(Zj)
= S(Y1.Λ1,j0⊕. . .⊕Yq.Λq,j0)
= S(S(X1).Λ1,j0⊕. . .⊕S(Xq).Λq,j0)
= S(S(x1, . . . , xm).Λ1,j0⊕. . .⊕S(x(q−1)m+1, . . . , xqm).Λq,j0) (2)
Fixxm+1, . . . , xqm to any numerical valuex∗m+1, . . . , x∗qm ∈F
(q−1)m
2 , and put
Tj∗0 = S(S(x1, . . . , xm).Λ1,j0⊕S(x
∗
m+1, . . . , x
∗
2m).Λ2,j0⊕. . . ⊕S(x∗(q−1)m+1, . . . , x∗qm).Λq,j0).
The multivariate polynomial function (x1, . . . , xm)7→Tj∗0 is bijective, as
equa-tion (2) easily shows that it is a composiequa-tion of bijecequa-tions. It follows that the degree ofTj∗
0 with respect tox1, . . . , xmis≤m−1. Then, the ANF ofT
∗
j0 does
other words, h(x∗m+1, . . . , x∗qm) = 0. Now the crucial point is that this latest equality holds foranyfixed numerical choice ofx∗m+1, . . . , x∗qm, and thereforeh
is identically zero as a multivariate polynomial in the variables xm+1, . . . , xqm.
We finally get thatTj0is a multivariate polynomial in variablesx1, . . . , xnwhose
partial degree with respect to the first groupX1= (x1, . . . , xm) of variables is ≤m−1,iethat does not contain any monomial in which the variablesx1, . . . , xm
all appear.
An identical argument prooves that, in fact,Tj0has partial degree≤m−1 with respect to every group Xi, i = 1, . . . , q. In other words, the ANF of Tj0 does not contain any monomial in which all the variables of a given groupXiappear, for anyi= 1, . . . , q. It finally follows that the ANF ofTj0 does not contain any monomial whose total degree strictly exceedsq(m−1), and that completes the proof of the statement forT.
4.4
What about going further ?
We briefly explain the reason why the argument collapses at round 3. We have, for example
U1=T1.Λ1,1⊕. . .⊕Tq.Λq,1
We have proved, as intermediate steps of previous lines, that X1 7→ T1, . . . ,
X17→Tq are bijective mappings, but there is no reason that their sum should
still be a bijective mapping (the only property that is preserved by summing bijective mappings altogether is that their degree remains ≤m−1). In other words, the mapping
X17→S(U1) =S(T1.Λ1,1⊕. . .⊕Tq.Λq,1)
can be non bijective, and then can contain monomials of (maximal) degreem. The only upper bound we can easily deduce is that the degree of the global 3-round SP output is≤qm−1, since the global SP is bijective and hence balanced. Actually, we performed experiments on toy examples and they showed that the latter bound can be reached.
5
3-round Feistel
5.1
Description
Let n= 2m be an even integer. Define the following 3-round Feistel on n-bit blocks:
L1=R0, R1=L0⊕f(R0),
L2=R1, R2=L1⊕g(R1),
L3=R2, R3=L2⊕h(R2).
(3)
where the 3 round functionsf, g, hare assumed to bem-variable bijections. We set
(L0, R0) = (x1, . . . , xn),
(L1, R1) = (y1, . . . , yn),
(L2, R2) = (z1, . . . , zn),
Throughout this section, the “algebraic degree” of any expression is meant with respect to - explicit or implicit - variablesx1, . . . , xn in the algebraic expansion
of the expression.
5.2
Statement
We aim to study the algebraic degree of (Li, Ri)’s as (multivariate polynomial)
expression of the input variablesx1, . . . , xn. SinceLi=Ri−1, it suffices of course
to study the degree of theRi’s. The following theorem summarizes the results,
while next subsection is devoted to the proof. Some remarks mention results for partial degrees (with respect tox1, . . . , xmon one hand, andxm+1, . . . , x2m
on the other hand) of the Ri’s.
Theorem 7 Let equations (3) define a 3-round Feistel scheme with n = 2m
variables. Put (L0, R0) = (x1, . . . , xn), and consider R1, R2, R3 as algebraic
expressions of the xi’s. Then:
(i)deg(R1)≤m−1;
(ii)deg(R2)≤2m−3;
(iii)deg(R3)≤2m−2;
5.3
Proof of theorem 7
(i) The degree of R1 is≤m−1
We have
(ym+1, . . . , y2m) = (x1, . . . , xm)⊕f(xm+1, . . . , x2m), (4)
ie
ym+1 = x1⊕f1(xm+1, . . . , x2m) . . .
y2m = xm⊕fm(xm+1, . . . , x2m)
(5)
f is a m-variable bijection, hence eachfi has degree≤m−1 (corollary 5) and
therefore, eachyi, i=m+ 1, . . . ,2mhas itself degree ≤m−1.
Remark. Results for partial degrees can be established here directly from the algebraic expression ofR1. We have:
degx1,...,xm(R1) = 1,
degx
m+1,...,x2m(R1) = max(deg(f1), . . . ,deg(fm))≤m−1.
(ii) The degree of R2 is≤2m−3
We compute R2 as a function ofxi’s. We have
(zm+1, . . . , z2m) = (y1, . . . , ym)⊕g(ym+1, . . . , y2m)
= (xm+1, . . . , x2m)⊕g((x1, . . . , xm)⊕f(xm+1, . . . , x2m))
ie
zm+1 = xm+1⊕g1((x1, . . . , xm)⊕f(xm+1, . . . , x2m)) . . .
z2m = x2m⊕gm((x1, . . . , xm)⊕f(xm+1, . . . , x2m))
Let us examine the expression ofzm+k, fork= 1, . . . , m. Sincegis am-variable
bijection, eachgk, k= 1, . . . , mis balanced and its ANF only contains terms of
degree≤m−1. Write
gk(ξ1, . . . , ξm) =
X
0≤r≤m−1
X
1≤i1<···<ir≤m
α(ik)
1,...,irξi1. . . ξir
wherer= 0 corresponds to the constant termgk(0, . . . ,0). We derive
gk((x1, . . . , xm)⊕f(xm+1, . . . , x2m))
= gk(x1⊕f1(xm+1, . . . , x2m), . . . , xm⊕fm(xm+1, . . . , x2m))
= X
0≤r≤m−1
X
1≤i1<···<ir≤m
α(ik)
1,...,ir
(xi1⊕fi1(xm+1, . . . , x2m)). . .(xir⊕fir(xm+1, . . . , x2m))
(7)
A basic development of the right hand side raises terms of the form
xi1. . . xirfj1(xm+1, . . . , x2m). . . fjs(xm+1, . . . , x2m) (8)
with
1≤i1<· · ·< ir≤m,
1≤j1<· · ·< js≤m,
r+s≤m−1.
The degree of eachfj is≤m−1 becausef is bijective. The same holds for the products of fj’s, because there ares≤m−1 factorsfj’s and thus corollary 5 applies. We get the following upper bound for the degree of each term (8):
• ifs= 0, then r≤m−1 and
deg(term (8)) =r≤m−1;
• ifs= 1, then r≤m−2 and
deg(term (8))≤r+ deg(fj1)≤(m−2) + (m−1) = 2m−3;
• ifs≥2, thenr≤m−3 and
deg(term (8))≤r+deg(product of several fj’s)≤(m−3)+(m−1) = 2m−4.
We have proved that deg(gk((x1, . . . , xm)⊕f(xm+1, . . . , x2m)))≤2m−3, and
so is deg(zm+k), for k= 1, . . . , m. That completes the proof of the statement
forR2.
Remark. Consider equation (6) and write it in the following compact form :
R2=R0⊕g(L0⊕f(R0)).
If we fix R0, the partial functionL0 7→R0⊕g(L0⊕f(R0)) is bijective onFm2
because g is. Hence its degree (more exactly, the degree of each of its scalar component) is less than m−1. In similar way, if we now fix L0, the partial
its degree is ≤m−1, and so is the degree ofR0 7→R0⊕g(L0⊕f(R0)). We
conclude:
degx1,...,xm(R2) ≤ m−1,
degx
m+1,...,x2m(R2) ≤ m−1
Hence any monomial ofR2 cannot contain the whole “left” (nor “right”)
vari-ables, ie no monomial is multiple of x1. . . xm (nor multiple of xm+1. . . x2m).
What is remarkable from the upper bound for total degree ofR2is that
when-everm−1 “left” (resp. “right”) variables appear in a given monomial, then at mostm−2 “right” (resp. “left”) ones appear in the same monomial. In other words, there is no monomial containing m−1 left variables and m−1 right variables simultaneously.
(iii) The degree ofR3 is≤2m−2
We have
(tm+1, . . . , t2m) = (z1, . . . , zm)⊕h(zm+1, . . . , z2m) (9)
ie
tm+1 = z1⊕h1(zm+1, . . . , z2m) . . .
t2m = zm⊕hm(zm+1, . . . , z2m)
(10)
Note that z1, . . . , zm are degree ≤ m−1, because of the bound on R1 and
R1=L2 = (z1, . . . , zm). Hence, to proove the statement, it suffices to proove
thathk(zm+1, . . . , z2m), fork= 1, . . . , m, have degree≤2m−2 (recall that the
degree of any expression is meant with respect to the – implicit – variablesxi’s). We will use the same strategy as previously. Actually, it will not work exactly in the same way, and will require some refinement.
First we “slide” expression (7) one round forward. What we mean is that (7) is still valid when moving:
• xi toyi;
• gk tohk (and moving theα’s coefficients to some new ones, sayβ’s);
• fi togi.
This rewriting gives
hk(y1⊕g1(ym+1, . . . , y2m), . . . , ym⊕gm(ym+1, . . . , y2m))
= hk(0, . . . ,0)⊕ X 1≤r≤m−1
X
1≤i1<···<ir≤m
βi(k)
1,...,ir
(yi1⊕gi1(ym+1, . . . , y2m)). . .(yir⊕gir(ym+1, . . . , y2m)) (11)
Then we have to examine terms of the form
yi1. . . yirgj1(ym+1, . . . , y2m). . . gjs(ym+1, . . . , y2m) (12)
with
1≤i1<· · ·< ir≤m,
In the previous case, the crucial point was that the factors xi1. . . xir and
the factors fj1(xm+1, . . . , x2m). . . fjs(xm+1, . . . , x2m) have separate groups of
variables xi – more precisely, the former only contain variables x1, . . . , xm
al-though the latter only contain variables xm+1, . . . , x2m. As (y1, . . . , ym) =
(xm+1, . . . , x2m) this separation no longer holds, and if we expand the left hand
side of (11) with respect to the variables xi, all of them would be mixed alto-gether. Indeed, if the previous strategy could be applied in the same way, we would get that the degree of (11) is≤2m−3, which is not compliant to what we are aiming to proove1.
Let us express the terms (12) with respect to variables xi’s. Using (4) and (y1, . . . , ym) = (xm+1, . . . , x2m), we get expressions of the form
xm+i1. . . xm+ir [gj1. . . gjs]((x1, . . . , xm)⊕f(xm+1, . . . , x2m))
=xm+i1. . . xm+ir g
∗((x
1, . . . , xm)⊕f(xm+1, . . . , x2m)) (13)
with
1≤i1<· · ·< ir≤m,
1≤j1<· · ·< js≤m,
r+s≤m−1.
Hereg∗=gj1. . . gjs denotes the pointwise product of the functionsgj1, . . . , gjs.
The new trick here is that we apply corollary 5 to both product of severalgj’s
andfi’s, sincef andg are bijections : the pointwise products [f`1. . . f`t], with
t≤m−1,1≤`1<· · ·< `t≤marem-variable functions with degree≤m−1,
and so is g∗, as the product ofs≤m−1 functionsgi’s. Now write
g∗(ξ1, . . . , ξm) = X
0≤s≤m−1
X
1≤k1<···<ks≤m
γk1,...,ksξk1. . . ξks,
wheres= 0 corresponds to the constant termg∗(0, . . . ,0). Then (13) becomes
xm+i1. . . xm+ir X
0≤s≤m−1
X
1≤k1<···<ks≤m
γk1,...,kr(xk1⊕fk1(xm+1, . . . , x2m)). . .
(xks⊕fks(xm+1, . . . , x2m))
= xm+i1. . . xm+ir X
0≤s≤m−1
X
1≤k1<···<ks≤m
γk1,...,ks
X
0≤t≤s
X
(`1,...,`s)∈S(k1,...,ks)
x`1. . . x`t [f`t+1. . . f`s](xm+1, . . . , x2m)
= X
0≤s≤m−1
X
1≤k1<···<ks≤m
γk1,...,ks
X
0≤t≤s
X
(`1,...,`s)∈S(k1,...,ks)
x`1. . . x`t xm+i1. . . xm+ir [f`t+1. . . f`s](xm+1, . . . , x2m)
(14)
1The upper bound that we target corresponds to our observations on a toy example, hence
with
1≤i1<· · ·< ir≤m,
1≤j1<· · ·< js≤m,
1≤`1, . . . , `s≤m, `i pairwise distinct, r+s≤m−1,
t≤s.
The summation P
(`1,...,`s)∈S(k1,...,ks)ranges over alls-tuples for which the `i’s
are pairwise disjoint and the set{`1, . . . , `s}is equal to the set{k1, . . . , ks}. The
terms appearing in (14) have the form:
x`1. . . x`t xm+i1. . . xm+ir [f`t+1. . . f`s](xm+1, . . . , x2m) (15)
which we will be refered as “term (15)”. Let us examine their degree:
• ifr= 0, then deg([f`t+1. . . f`s](xm+1, . . . , x2m))≤m−1, becauses−t≤
m−1 and corollary 5. Hence,
deg(term (15)) = t+ deg([f`t+1. . . f`s](xm+1, . . . , x2m))
≤ (m−1) + (m−1) = 2m−2;
• ifr≥1, then on one hand t≤s≤m−1−r≤m−2 and, on the other hand,
deg(xm+i1. . . xm+ir [f`t+1. . . f`s](xm+1, . . . , x2m))≤m
because the degree of any multivariate polynomial expression is always upper bounded by the number of variables. Hence,
deg(term (15)) = t+ deg(xm+i1. . . xm+ir [f`t+1. . . f`s](xm+1, . . . , x2m)) ≤ (m−2) +m
= 2m−2.
That completes the proof of the statement forR3.
RemarkExpression ofR3with respect to (L0, R0) is
R3 = R1⊕h(L1⊕g(R1))
= L0⊕f(R0)⊕h(R0⊕g(L0⊕f(R0)))
If we fixR0, the partial functionL07→f(R0) (resp. L07→h(R0⊕g(L0⊕f(R0))))
is a bijection on Fm2 beacause f is (resp. beacauseg and hare). Hence both
functions have degree≤m−1, and their sumL07→R3has also degree≤m−1,
that is
degx1,...,xmR3≤m−1.
Now if we fix L0, the partial function R0 7→ g(L0⊕f(R0)) is a bijection on
Fm2 , hence has degree≤m−1. Therefore,R07→R0⊕g(L0⊕f(R0)) has itself
degree≤m−1, but is no longer a bijection so that there is no reason a priori
whyR07→h(R0⊕g(L0⊕f(R0))) should be a bijection and should have degree ≤m−1. Indeed, in the experiments we performed, there were some cases where the partial degree wasm.
It is even more remarkable that degree of R3 is ≤2m−2. The facts, that we
• in any monomial, there are at mostm−1 “left” variables that appear;
• there are some monomials multiples ofxm+1. . . x2m, but whenever it
oc-curs, there are at mostm−2 “left” variables appearing in the monomial.
It is also the reason why it is impossible to go further in the sequent rounds. For a 4-round Feistel, the only upper bound we can obtain is that the degree of the output is ≤2m−1, since the global Feistel function is bijective. Actually, we performed experiments on toy examples and they showed that the bound can be reached.
6
Distinguishing aspects
One can be tempted to use the various results on what we could call the “de-gree profile” to distinguish a reduced round Feistel or SP scheme from a random function. Indeed, a random function with nvariables has degree nwith prob-ability 1/2. Of course, the relevance of the distinguishing issue makes sense if one targets to distinguish the scheme from a balanced random function. In this case, the degree cannot exceedn−1, and since there arenmonomials with degree (n−1), the probability for a balanced random function to have degree exactlyn−1 is equal to 1−2−n. A similar argument shows that the probability
degree exactly n−2 is 1−2−n−(n2). These probabilities values are very close
to 1, such that false alarms when applying this distinguisher is of negligible probability.
Unfortunately, the results strongly make use of the ANF ceofficients of the global function, especially the “high-weight” coefficients, that is to say those of monomials of degree nandn−1.
The correspondance formulas between values and ANF coefficients are recalled in section 2. If one examines them carefully, they stress that, givenu∈Fn2, the
ANF coefficientau only depends on the values f(x), where xu. We can say in a certain manner that some ANF coefficients can be computed from a sample of the list of values of f. But, as this “sample” is reduced enough for coeffi-cients of monomial of very low degree, it grows as the degree of the targetted monomial does. And finally, the computation of the degree-nmonomial coeffi-cient requires the complete list of values. Besides, the following combinatorial argument prooves that there cannot exist any trick to get rid of this feature.
Assume that there exist a “sampling” subsetSsuch that the
degree-nmonomial coefficient off, sayc, can be computed from the (sam-pled list of) valuesf(x), x∈S. On the other hand, we still always have
c= X
x∈Fn2
f(x)
Now choose anyx0∈/ Sand flip the corresponding value off. Then
c is itself flipped and the degree of the function is flipped from n
The complexity of all our work seems to be basically lower bounded by the (pre-)computation of the ANF form of the scheme. This is well-known to be feasible in O(n2n) (by a recursive form of the Mobius transform, similar to
fast Discrete Fourier Transform). It turns to be obviously irrelevant since it is greater than the complexityO(2n) of computing the whole dictionnary of the
function. In any case, it cannot compete with the most significant results of the quoted references propose distinguishers, which complexities vary fromO(2n/2)
toO(23n/4), depending on the number of rounds and the model of adversary. Nevertheless, at this point we have not investigated yet the possibility that some relation between thendegree-(n−1) coefficients altogether could be exhibited using an appropriate sampling subset of the values of f. This could be a way for further research. Another direction to investigate comes from examining the partial degrees with respect to some subset of variables (e.g. “left” or “right” subset for a Feistel scheme), to distinguish Feistel or SP schemes from random functions. For example, in the case of Feistel schemes, the partial function w.r.t. “left” variables deals with monomials which degree is at most
n/2, and the complexity to retrieve the ANF coefficients isO(n2n/2). The latter
complexity is significantly lower thanO(n2n), and has same order of magnitude
as literature’s complexities.
Finally, we believe that the same kind of degree-distinguishing can be made efficient if we deal with unbalanced Feistel schemes, as in [4].
References
[1] Luby M., Rackoff C., How to construct pseudorandom permutations from pseudorandom functions, SIAM Journal of Computing, vol. 17, N.2, pp. 373–386, April 1998.
[2] Patarin J., Generic Attacks on Feistel Schemes. Asiacrypt’01 (Lecture Notes on Computer Science 2248), pp. 222–238, Springer.
[3] Patarin J., Security of Random Feistel Schemes with 5 or more Rounds, Crypto’04 (Lecture Notes on Computer Science 3152), pp. 106–122, Springer
[4] Patarin J., Nachef V., Berbain C., Generic Attacks on Feistel Schemes with Expanding Functions,
[5] Patarin J., Generic Attacks on Feistel Schemes, e-print 2008/036.
A
Proof of the results on boolean functions
A.1
Proof of lemma 1
(i) follows from the Mobius inversion applied tou= (1, . . . ,1). (ii) is an easy consequence of (i), since the summation contains wt(f) terms equal to 1 and 2n−wt(f) terms equal to 0. (iii)follows - again elementarily - from(ii) (recall
A.2
Proof of proposition 2
The proof relies on the use the Fourier and Walsh transform. First recall that the Fourier transformfbof a n-variable scalar boolean functionf is defined by
∀v∈Fn
2 fb(v) = X
x∈Fn2
f(x)(−1)x.v
where the computation is performed over the ring of integers, and that we have the Fourier inversion formula:
∀x∈Fn2, f(x) = 2−n X
v∈Fn2 b
f(v)(−1)x.v
The Walsh transform ˜f of a scalar boolean functionf is defined as the Fourier transform of the sign function (−1)f.
∀v∈Fn2 f˜(v) =(\−1)f(v) = X
x∈Fn2
(−1)f(x)+x.v.
The following lemma is straightforward, and we skip its proof.
Lemma 8 The scalar boolean functionf is balanced if and only iff˜(0) = 0.
Now let us come to the proof of proposition 2.
(i) ⇒(ii). Letλ= (λ1, . . . , λt)∈Ft2− {0}. We have
g
λ.f(0) = X
x∈Fn2
(−1)λ.f(x)= X
y∈Ft2
(#f−1(y)) (−1)λ.y
= 2n−tX
y∈Ft2
(−1)λ.y= 0,
as desired.
(ii) ⇒(i). Define g : Ft2 →Z, by y 7→#f−1(y). Let us compute the Fourier
transform of g. For λ 6= 0, we have by assumption λ.f is balanced, then by lemma 8gλ.f(0) = 0, and hence
b
g(λ) = X
y∈Ft2
(#f−1(y)) (−1)λ.y= X
x∈Fn2
(−1)λ.f(x)=gλ.f(0) = 0.
On the other hand,bg(0) =P
y∈Ft2#f
−1(y) = #
Fn2 = 2n.It follows, by Fourier
inversion formula, that
∀y∈Ft2, #f
−1(y) =g(y) = 2−t X
λ∈Ft2 b
g(λ)(−1)λ.y= 2n−t,
as desired.
A.3
Proof of proposition 4
We actually proof that,
∀1≤i1<· · ·< ir≤t, with 1≤r≤min(t, n−1),
It will give the expected conclusion applying (ii) of lemma 1, noting that r≤
min(t, n−1)de facto implies 2n−ris even.
We would like to propose two different proofs. Both use combinatorial argu-ments. The first one is much simpler mainly exploit the vectorial structure of the functionf. The second one is more tricky, it only considers the scalar compo-nentsf1, . . . , ft by themselves, and makes a nice use of inclusion-exclusion-like
argument (what motivated us to propose it as well).
First proof
Fix 1≤i1 <· · · < ir ≤t, with 1≤r≤min(t, n−1). Consider the
“subfunc-tion”f∗:Fn
2 →Fr2, x7→(fi1(x), . . . fir(x)): it is itself balanced, as it is easy to
see appyling criterion (2) of proposition 2. Now, an elementx∈Fn
2 satisfies [fi1. . . fir](x) = 1 if, and only iffi1(x) =· · ·=
fir(x) = 1, that is, iff∗(x) is the “all one” vector (1, . . . ,1) ∈Fr2. Hence the
support offi1. . . fir isf∗ −1((1, . . . ,1) and, sincef∗ is balanced, contains 2n−r
elements.
Second proof
The basic point of the proof is the following
Lemma 9 (i) Basic version: let g and htwo n-variable scalar boolean func-tions. Then
wt(f ⊕g) =wt(f) +wt(g)−2wt(f g)
(ii) Iterative version: let g1, . . . , gs be s n-variable scalar boolean functions.
Then
wt(g1⊕. . .⊕gs) = X
1≤k≤s
wt(gk)−2 X
1≤k1<k2≤s
wt(gk1gk2)
+4 X
1≤k1<k2<k3≤s
wt(gk1gk2gk3)
· · ·+ (−2)s−1wt(g1. . . gs)
Proof (i)It is clear by a inclusion-exclusion principle that
Supp(f⊕g) = (Supp(f)∪Supp(g))−(Supp(f)∩Supp(g)) = (Supp(f)∪Supp(g))−Supp(f g)
from which conclusion follows immediately. (ii) follows recursively from(i). 2
Now, assume that condition (ii) holds in proposition 4. We proove (16) by strong induction onr.
The result holds for r = 1 because of condition (ii). Assume that the result holds up tor−1, that is every product ofs≤r−1fi’s has weight 2n−s. Apply
wt(fi1⊕. . .⊕fir) = X
1≤k≤r
wt(fik)−2 X
1≤k1<k2≤r
wt(fik1fik2)
+4 X
1≤k1<k2<k3≤r
wt(fik1fik2fik3)
+· · ·+ (−2)r−1wt(fi1. . . fir)
Using induction hypothesis, we get:
2n−1 =
r
1
2n−1−2
r
2
2n−2+
r
3
(−2)22n−2
+· · ·+
r
r−1
(−2)r−22n−r+1 +(−2)r−1wt(fi1. . . fir)
such that,
2n−1(1− r
1
+
r
2
−
r
3
+· · ·+ (−1)r−1
r
r−1
) = (−2)r−1wt(fi1. . . fir)
which gives the desired
wt(fi1. . . fir) = 2
n−r
since 1− r
1
+ r2 − r
3
+· · ·+ (−1)r−1 r r−1
+ (−1)r= 0.
Sinces≤r≤min(t, n−1)< n, 2n−r is a even integer and we conclude in the
same way as in the first proof.
Remark
It is easy, using same kind of tricks, to deal with the case wheref is a bijection, and r =n: the support of f1. . . fn is reduced to a single point, precisely the
